Community discussions

MikroTik App
 
User avatar
normis
MikroTik Support
MikroTik Support
Topic Author
Posts: 26287
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Mēris botnet information

Fri Sep 10, 2021 1:43 pm

Many of you have asked, what is this Mēris botnet that some news outlets are discussing right now, and if there is any new vulnerability in RouterOS.

As far as we have seen, these attacks use the same routers that were compromised in 2018, when MikroTik RouterOS had a vulnerability, that was quickly patched.

Unfortunately, closing the vulnerability does not immediately protect these routers. If somebody got your password in 2018, just an upgrade will not help. You must also change password, re-check your firewall if it does not allow remote access to unknown parties, and look for scripts that you did not create.

We have tried to reach all users of RouterOS about this, but many of them have never been in contact with MikroTik and are not actively monitoring their devices. We are working on other solutions too.

As far as we know right now - There are no new vulnerabilities in these devices. RouterOS has been recently independently audited by several contractors.

If you do see a RouterOS device that has malicious scripts or SOCKS configuration that was not created by you, especially if this configuration APPEARED NOW, RECENTLY, WHILE RUNNING A NEW ROUTEROS RELEASE: Please contact us immediately.
 
User avatar
normis
MikroTik Support
MikroTik Support
Topic Author
Posts: 26287
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Mēris botnet information

Fri Sep 10, 2021 1:48 pm

More specifically, we suggest to disable SOCKS and look in the System -> Scheduler menu. Disable all rules you can't identify. By default, there should be no Scheduler rules, and SOCKS should be off.
 
mafiosa
Member Candidate
Member Candidate
Posts: 266
Joined: Fri Dec 09, 2016 8:10 pm
Location: Kolkata, India
Contact:

Re: Mēris botnet information

Fri Sep 10, 2021 3:41 pm

Is socks present in v7.1 RC3?
 
R1CH
Forum Guru
Forum Guru
Posts: 1098
Joined: Sun Oct 01, 2006 11:44 pm

Re: Mēris botnet information

Fri Sep 10, 2021 3:52 pm

Since these infected users still appear to be upgrading to recent RouterOS versions, can the upgrade process look for non-Mikrotik binaries or other signs of infection and warn the administrator to netinstall? If there was a system exploit to run arbitrary code, simply removing socks and scripts and adding a firewall is not enough, as RouterOS does not allow admins to see all processes running on the router. A netinstall is the only way to be sure.

I highly doubt an open socks proxy or similar is responsible for DDOS as that means the attacker still has to generate the traffic elsewhere.
 
User avatar
normis
MikroTik Support
MikroTik Support
Topic Author
Posts: 26287
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Mēris botnet information

Fri Sep 10, 2021 3:59 pm

There are no non-mikrotik binaries involved, only legitimate SOCKS, L2TP and Scheduler configuration.
 
mada3k
Long time Member
Long time Member
Posts: 682
Joined: Mon Jul 13, 2015 10:53 am
Location: Sweden

Re: Mēris botnet information

Fri Sep 10, 2021 6:58 pm

What was the entry point for the vulnerability - non-firewalled winbox, socks or http ?
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Mēris botnet information

Fri Sep 10, 2021 7:01 pm

The most entry point is the same username and password on all devices after 4 years...
 
R1CH
Forum Guru
Forum Guru
Posts: 1098
Joined: Sun Oct 01, 2006 11:44 pm

Re: Mēris botnet information

Fri Sep 10, 2021 9:32 pm

There are no non-mikrotik binaries involved, only legitimate SOCKS, L2TP and Scheduler configuration.
What native functions in RouterOS support sending pipelined HTTP requests at these kind of rates? I find it unlikely that the attackers are simply proxying their DDoS traffic through infected Mikrotik devices - why not attack the target directly if they have that much bandwidth available? Especially as they do not know the upstream bandwidth or CPU power of the infected device, not all the proxied traffic is likely to make it out so it would actually reduce the power of their attack. This doesn't make sense.
 
pe1chl
Forum Guru
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Mēris botnet information

Fri Sep 10, 2021 10:31 pm

Starting today I see a new flood of random GRE traffic on the internet, not sure if it is caused by this botnet or if it is just coincidence.
It appears to consist of GRE packets with random addresses both outside and inside, and with a UDP payload with random portnumbers and 512 bytes of random data.
Likely they hope that some places will just unpack such GRE traffic when sent to them, and then forward the tunneled traffic. But I don't think MikroTik routers would do that, they would only accept GRE traffic from sources that are configured as peers in a GRE tunnel, right?
But I have seen such storms before, probably during earlier botnet outbreaks.
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Mēris botnet information

Fri Sep 10, 2021 11:29 pm

On GRE you can omit only the local source, but you must specify the remote address...
The source can be spoofed, but I hope no one extabilish GRE link on Internet without at least IPsec...
 
User avatar
jwshields
just joined
Posts: 6
Joined: Wed Aug 05, 2020 2:34 am
Location: Seattle, WA, USA
Contact:

Re: Mēris botnet information

Sat Sep 11, 2021 12:49 pm

For the last few days/week or two, I've been receiving a higher than normal amount of tcp portscans and small attacks against my home network. They all seem to be coming from the same IPs, or at least the same /24, usually they seem to be either scanning huge groups of around 10k or more ports each time, or they're continually hitting the same port over and over.
Might not be related to this botnet, but I thought I'd share some oddities I've been seeing
 
mada3k
Long time Member
Long time Member
Posts: 682
Joined: Mon Jul 13, 2015 10:53 am
Location: Sweden

Re: Mēris botnet information

Sat Sep 11, 2021 1:18 pm

Starting today I see a new flood of random GRE traffic on the internet, not sure if it is caused by this botnet or if it is just coincidence.
It appears to consist of GRE packets with random addresses both outside and inside, and with a UDP payload with random portnumbers and 512 bytes of random data.
I also have seen them

These types of lower-level attacks and exploits is quite scary. Some equipment by default picks up ICMP, GRE, ESP/AH packets and other non-TCP/UDP packets and process them in the kernel. Sometimes it's default to allow IPSec IKE as well.
 
User avatar
Jotne
Forum Guru
Forum Guru
Posts: 3279
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Mēris botnet information

Sat Sep 11, 2021 2:02 pm

This shows number of hits on my router on port 8291 Winbox, last 4 month. It only counts one IP for each user a day, since all who tries to access a non open port are blocked for 24 hours. There has been no increase of traffic.
8291.jpg
You do not have the required permissions to view the files attached to this post.
 
User avatar
mozerd
Forum Veteran
Forum Veteran
Posts: 871
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada
Contact:

Re: Mēris botnet information

Sat Sep 11, 2021 2:44 pm

Based on my experience installing MOAB for many users .. 100% had very poor firewall security measures due to ignorance and or lack of diligence ... once a router has been compromised the ONLY recourse is to netinstall and manually configure ... MikroTik should make the Netinstall procedure much more transparent [much easier to use] since many get confused by the procedures needed. The DEFAULT firewall currently provided by MikroTik is an excellent starting point ... unfortunately many ignore it.
 
User avatar
Jotne
Forum Guru
Forum Guru
Posts: 3279
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Mēris botnet information

Sat Sep 11, 2021 2:58 pm

One of many problems is that many router are at remote location and netinstall only works locally. Some are high up in tower or roof tops etc.
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Mēris botnet information

Sat Sep 11, 2021 2:59 pm

Netinstall work also remotely...
If you have at least on control one device, you can netinstall remotely the others...
Obviously exceptions apply.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Mēris botnet information

Sat Sep 11, 2021 3:15 pm

Based on my experience installing MOAB for many users .. 100% had very poor firewall security measures due to ignorance and or lack of diligence ... once a router has been compromised the ONLY recourse is to netinstall and manually configure ... MikroTik should make the Netinstall procedure much more transparent [much easier to use] since many get confused by the procedures needed. The DEFAULT firewall currently provided by MikroTik is an excellent starting point ... unfortunately many ignore it.
yes, it would be helpful for Mikrotik to make a video that explains their default firewall and to let new users know that they should ignore 98% of the crap on youtube and to go to the forum to get advice when changing the default firewall rules. Concur the netinsall process is a tad convoluted and any way to make it more intuitive or easier would be appreciated.
 
msatter
Forum Guru
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Mēris botnet information

Sat Sep 11, 2021 8:39 pm

Second posting here.
 
User avatar
mrz
MikroTik Support
MikroTik Support
Posts: 7038
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: Mēris botnet information

Sat Sep 11, 2021 10:12 pm

And how to check router against Meris malware? Are there any tips how to check and fix? Is there official cure realise?
As stated in the first post:

If you do see a RouterOS device that has malicious scripts or SOCKS configuration that was not created by you
 
msatter
Forum Guru
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Mēris botnet information

Sat Sep 11, 2021 11:09 pm


Speaking of the latter point: keeping up to date IP lists is harder than it needs to be. For example, MikroTik script limits file access to 4 kilobytes, and while there is a workaround to load IP lists up to 63K, it leaves little room for growth if your IP lists have comments. Is there a better way coming in new RouterOS? :) [/url].
That 63K has also been been resolved see last posting in the mentioned tread. Import can as large till the router runs out of storage space.
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Mēris botnet information

Sat Sep 11, 2021 11:31 pm

I have invented that method, and is not a hack, is just how http protocol work...

How to download only one piece of file at a time with /tool fetch and put it inside a variable
viewtopic.php?f=9&t=177530

"fetch" is already planned to be managed in the future for file not found, file change. redirect, etc. this is an example:
manage fetch errors
viewtopic.php?f=2&t=178355&p=878643#p878643
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Mēris botnet information

Sat Sep 11, 2021 11:56 pm

I know when the blacklists I use are updated, simly do not update at same time, nothing particularly difficult...

That's arguing semantics.
You're starting to write like a troll.
Have you just registered to disturb?
Nobody forces you to use published scripts.
 
msatter
Forum Guru
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Mēris botnet information

Sun Sep 12, 2021 12:03 am

Hahahahaha, I love the HTTP Range header hack! But I think you will agree that it is brittle: it is not guaranteed that the server won't change the file in between your 64K chunk requests and make the internal state of your script inconsistent.
There is indeed a delay between the read chunks. The script already cut away the first line and a part of the last lines so that there are clean lines to be imported.
I don't think it is feasable to first fill a loop of subquential array's to minimize the time taken between the chunks read while filling the address-list. An other method could be checking on each loop if the size of the file has changed in the meantime, I can't see the time of the file to download, so that is not an option. If so then the import could restart.

Then, how far do want to go to exclude every point of failure and the import is also logged by default. Checking the log always a good routine.

Edit: the script has been adapted to detect changes in file-size during import. It will retry a set number of times and then give an warning on failure that the user has check if the list is still being maintained.
 
R1CH
Forum Guru
Forum Guru
Posts: 1098
Joined: Sun Oct 01, 2006 11:44 pm

Re: Mēris botnet information

Sun Sep 12, 2021 3:59 pm

I wonder if there is some traffic amplification bug in the socks proxy, this doesn't make any sense to use as a DDOS botnet if you still have to originate all the attack traffic. I suppose it makes an attack harder to block when it originates from thousands of infected IPs, but based on volume this has to significantly reduce the attack power vs raw volumetric outbound traffic.
 
User avatar
mozerd
Forum Veteran
Forum Veteran
Posts: 871
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada
Contact:

Re: Mēris botnet information

Sun Sep 12, 2021 4:29 pm

Edit: the script has been adapted to detect changes in file-size during import. It will retry a set number of times and then give an warning on failure that the user has check if the list is still being maintained.
@msatter

The only list that I am aware of that may undergo changes is firehol_level1 where the check frequency is 1 minute ... Personally I would not be concerned with changes that takes place by the minute or by the hour .....

Cybercrime IP Feeds by FireHOL exploits HUNDREDS of lists ... IMO its the most comprehensive system built which is why I use them for MOAB.

The code you have been working on would benefit the MikroTik community greatly [and put MOAB out of business] if you adapted the code to exploits the lists that FireHOL produces -- the only caveat being that there is a significant number of duplicate IP's when merging the lists plus the numeric sequence is important to improve performance -- if the numeric sequence is random the insertion takes longer.
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Mēris botnet information

Sun Sep 12, 2021 6:23 pm

@mozerd, I invented "How to download only one piece of file at a time with /tool fetch and put it inside a variable"
viewtopic.php?f=9&t=177530
If I didn't, @msatter would have nothing to work with...
I made the code available to everyone, but it's not really polite to credit @msatter,
but @msatter is to be thanked for taking the development forward.
 
User avatar
mozerd
Forum Veteran
Forum Veteran
Posts: 871
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada
Contact:

Re: Mēris botnet information

Sun Sep 12, 2021 7:01 pm

@rextended
Your contribution is very much appreciated, IMO, by everyone. @msatter code exploitation is outstanding and I certainly would like to encourage the development because the MikroTik community would derive excellent benefits.
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Mēris botnet information

Sun Sep 12, 2021 9:25 pm

Nothing to add, is true, thanks.
 
msatter
Forum Guru
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Mēris botnet information

Sun Sep 12, 2021 11:51 pm

Cybercrime IP Feeds by FireHOL exploits HUNDREDS of lists ... IMO its the most comprehensive system built which is why I use them for MOAB.

The code you have been working on would benefit the MikroTik community greatly [and put MOAB out of business] if you adapted the code to exploits the lists that FireHOL produces -- the only caveat being that there is a significant number of duplicate IP's when merging the lists plus the numeric sequence is important to improve performance -- if the numeric sequence is random the insertion takes longer.
Reading the a list was no problem and using the delimiter allows that IP addresses and IP addresses with range are imported. I did not found it slow on importing and RouterOS will sort the lists. I assume that is done on the moment it is being displayed and in stages.

Merging different lists is an different thing and is best database driven. I am not into that. ;-)

I tested with the FireHOL Level2 list: viewtopic.php?f=9&t=152632&p=879181#p825755 and you have now to supply also the list name without spaces.

The import script is updated, so that on failure the old list is being restored. On successful import the the temporary backup is removed.
 
pe1chl
Forum Guru
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Mēris botnet information

Mon Sep 13, 2021 12:30 am

Can we stop the off-topic discussion about address lists or move it to some other topic?
 
brg3466
Member Candidate
Member Candidate
Posts: 177
Joined: Sat Aug 01, 2015 7:29 am

Re: Mēris botnet information

Mon Sep 13, 2021 2:54 am

This shows number of hits on my router on port 8291 Winbox, last 4 month. It only counts one IP for each user a day, since all who tries to access a non open port are blocked for 24 hours. There has been no increase of traffic.
Hello Jotne,
would you mind share your script on how to "block the outside IP for 24hrs if they tries to access your non-open port " ? I think it is a good way to prevent those attacks.

Thanks !
 
User avatar
raimondsp
MikroTik Support
MikroTik Support
Posts: 267
Joined: Mon Apr 27, 2020 10:14 am

Re: Mēris botnet information

Mon Sep 13, 2021 9:28 am

Must be mentioned:

Do not use the same passwords from 2018 ever again!

Even on different routers. The hackers who obtained system user database files via CVE-2018-14847 may apply brute force to try every stolen password on every MikroTik (and maybe even non-MikroTik) device. For example, you had the "#My sUp3R(!) Secr37 P@ssword" password back in 2018. Then you heard about CVE-2018-14847, upgraded RouterOS, changed the password, and verified that there were no malicious scripts. In 2021, you've bought a new router and considering using the old and forgotten #My sUp3R(!) Secr37 P@ssword" again... NO! Don't do this!

Also, changing passwords from something like "jF9ikfW21u-01" to "jF9ikfW21u-02" is not a good idea either due to an iterable pattern.
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Mēris botnet information

Mon Sep 13, 2021 10:15 am

(I'm curious to know from now how many people will use the password "#My sUp3R(!) Secr37 P@ssword" :) )
 
djdrastic
Member
Member
Posts: 367
Joined: Wed Aug 01, 2012 2:14 pm

Re: Mēris botnet information

Mon Sep 13, 2021 11:07 am

I had a friend replace his ISP CPE router with a CCR running 6.47.10 over the weekend and he got compromised within probably 5 minutes of initial configuration.Had a socks server running with some weird scheduled tasks after compromise. We netinstalled but really will wait it out until there's better info on what's going on before trying to replace isp router.

I suspect he didn't set his firewall rules correctly on the WAN side so he had services exposed to public internet.Password he said he generated uniquely out of onepass so shouldn't have been a dictionary attack.
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Mēris botnet information

Mon Sep 13, 2021 11:09 am

CCR comes without any default configuration and that includes firewall. So it is essential to do all the configuration before ever exposing it to WAN. And that includes solid firewall rules which is not an easy task for novice ROS user.
 
pe1chl
Forum Guru
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Mēris botnet information

Mon Sep 13, 2021 11:28 am

CCR comes without any default configuration and that includes firewall.
It even comes without password! Like almost all MikroTik devices, the admin password is empty on first run. So when it was connected before the password was set, it was quite easy to hack it!
On a "home" device there is protection from the firewall, but still this is something that is frowned upon in 2021.
Most other router manufacturers now deliver their devices with a default password shown on a sticker these days, but MikroTik does this only on a few devices (like "wireless wire") that are sold as preconfigured plug-and-play solutions.
 
djdrastic
Member
Member
Posts: 367
Joined: Wed Aug 01, 2012 2:14 pm

Re: Mēris botnet information

Mon Sep 13, 2021 12:43 pm

Aye agree with you guys.I wasn't present so cannot comment how he configured it initially.
From what I gather he did set the password initially before configuring the WAN as he is required to set a static /30 with his provider to make his circuit work.
 
mada3k
Long time Member
Long time Member
Posts: 682
Joined: Mon Jul 13, 2015 10:53 am
Location: Sweden

Re: Mēris botnet information

Mon Sep 13, 2021 1:06 pm

But this was related to Winbox? (that I've never used and always had the service disabled)

What "novice user" buys a CCR? A Cisco also comes with a blank password by default.
 
User avatar
Jotne
Forum Guru
Forum Guru
Posts: 3279
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Mēris botnet information

Mon Sep 13, 2021 1:11 pm

Hello Jotne,
would you mind share your script on how to "block the outside IP for 24hrs if they tries to access your non-open port " ? I think it is a good way to prevent those attacks.
Here you go:
viewtopic.php?f=23&t=178496
 
brg3466
Member Candidate
Member Candidate
Posts: 177
Joined: Sat Aug 01, 2015 7:29 am

Re: Mēris botnet information

Mon Sep 13, 2021 7:16 pm

Thanks again !
 
maigonis
Member Candidate
Member Candidate
Posts: 180
Joined: Sat Jul 20, 2019 8:16 pm

Re: Mēris botnet information

Tue Sep 14, 2021 10:31 pm

To defend my home router I follow technique "Block all, allow a few". I have configured my firewall to allow a few ports that I need and block all other input, including from LAN, only allow my main PC network and VPN to access it. Winbox access, shh, ftp etc are allowed only from those network too, so to access my router remotely I need to connect to VPN. That is the safest option in my opinion.

I have blocked ping also, so no target scanner can ping my network. Of course hackers can attack my host blindly, but that mitigates some portion of attacks. Also always generate strong passwords and use them once (as mentioned already). I use password manager to generate and store my password, so i don't have to remember them.
 
User avatar
normis
MikroTik Support
MikroTik Support
Topic Author
Posts: 26287
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Mēris botnet information

Wed Sep 15, 2021 9:02 am

 
mducharme
Trainer
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: Mēris botnet information

Wed Sep 15, 2021 9:26 am

Is there a possible vulnerability for MNDP on UDP 5678? I've seen this mentioned before, that the Meris botnet devices all seem to have UDP 5678 open, but is this indicative of a vulnerability in MNDP, or instead just a means for the botnet to relocate nodes that have possibly changed IPs and that it has lost track of for whatever reason?
 
User avatar
normis
MikroTik Support
MikroTik Support
Topic Author
Posts: 26287
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Mēris botnet information

Wed Sep 15, 2021 9:30 am

It's just a way to find MikroTik devices, as far as we know. The main intrusion vector right now is admin/no password + Windows malware.
 
pe1chl
Forum Guru
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Mēris botnet information

Wed Sep 15, 2021 11:19 am

Does the Windows malware also attempt to find "saved passwords" in e.g. winbox addresses.cdb and browser password save features?
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Mēris botnet information

Wed Sep 15, 2021 11:25 am

If I wrote a malware, it would be the first thing I would do to take away the passwords stored in "Windows Vault" / WinBox / Dude / Firefox, Google, Edge passwords saved on the browser, e-mail passwords saved on thunderbird, outlook, etc.
 
msatter
Forum Guru
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Mēris botnet information

Wed Sep 15, 2021 12:42 pm

I have a firewall on Windows that only allow Winbox to use those ports. If they managed to install a infected version of Winbox the firewall will first ask if I want to allow traffic. This because Winbox itself has changed.

I don't have this kind of protection on Android or IOS.
 
User avatar
loloski
Member Candidate
Member Candidate
Posts: 276
Joined: Mon Mar 15, 2021 9:10 pm

Re: Mēris botnet information

Fri Sep 17, 2021 6:42 am

To further reduce the likehood of this, I hope mikrotik will also consider to. Bind winbox. On specific interface to the liking of sysadmin, so that winbox will not exposed on the Wan side interface, no firewall rules needed for some novice user, just my 0.2
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Mēris botnet information

Fri Sep 17, 2021 9:00 am

Default configuration (on devices that come with default) on recent ROS versions includes this:
# Establish proper interface list membership
/interface list member 
add list=LAN interface=bridge comment="defconf"                                                                                       
add list=WAN interface=ether1 comment="defconf"

# block access to router's IP and IPv6 services originated not through one of LAN interfaces
# This includes also management access: telnet, ssh and winbox
/ip firewall filter
add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN"
/ipv6 firewall filter
add chain=input action=drop in-interface-list=!LAN comment="defconf: drop everything else not coming from LAN"

# allow discovery (MNDP) only on LAN interfaces
/ip neighbor discovery-settings 
set discover-interface-list=LAN

# allow MAC services (telnet and winbox) only through LAN interfaces
/tool mac-server 
set allowed-interface-list=LAN
/tool mac-server mac-winbox 
set allowed-interface-list=LAN

If one doesn't mindlessly change these settings and properly maintains interface list membership, router remains properly secured.

There are two notable exceptions:
  1. routers which come without any default config. These are "pro" line of devices (CCR, CRS and select RB models) and those require a knowledgeable administrator to properly configure device.
  2. routers which were initially configured with older ROS version or had IPv6 package installed and enabled after initial configuration reset. ROS upgrade and/or package install doesn't change configuration (other than upgrading some syntax if that's required).
    Nothing much to be done automatically in this case, automagical enforcement of default firewall rules would likely break existing firewall rules and upgrade procedure has no way of detecting the reason for firewall rules to be set in any particular way.


And no, I would not like to see some implicit filtering that can not be changed by (dumb?) administrator. ROS is so much liked by (pro?) users exactly because absolutely whole configuration is transparent to administrator and there's nothing administrator can not change. But yes, freedom does come with cost (which is extremely steep learning curve) and if a novice user can't bear that cost, (s)he should go to other vendor (not something MT would like to advertise, this would hurt their sales quite some I guess).

Perhaps MT's resellers should require buyers to posses some MTCxx certificate? ;-)
 
User avatar
normis
MikroTik Support
MikroTik Support
Topic Author
Posts: 26287
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Mēris botnet information

Fri Sep 17, 2021 11:21 am

We have updated the article on our blog. Please work with your ISPs to block the addresses the botnet is using:
https://blog.mikrotik.com/security/meris-botnet.html
 
kryztoval
newbie
Posts: 27
Joined: Tue Sep 07, 2021 10:46 pm

Re: Mēris botnet information

Wed Oct 20, 2021 1:19 pm

There are no non-mikrotik binaries involved, only legitimate SOCKS, L2TP and Scheduler configuration.
As I got my first ever mikrotik device (a cute little R750Gr3) that I bought to serve as Multiwan Load Balancing and Fail over for my network I dared start fresh with no default settings. Just a beautiful blank canvas.

I should have known better! I got hit immediately with a script to fetch a file and open several ports for socks. I can say that socks (pun intended) but it was so much fun! Since I was just configuring it and I was looking frequently at what changes happened in "export" I noticed rather quickly that there was a new command I didn't issue and proceded to secure it before proceding any further.

I am loving this devices! Now I have 12 mikrotik devices and so much new things to try.

I looked at the script and found out it was common for rookies (like myself) to connect a router with no password or an unsafe password and get it 'hijacked'.

Thanks for the information, the support, the devices, and so much flexibility. I am so sad I didn't find this devices earlier in my life.
 
User avatar
sergejs
MikroTik Support
MikroTik Support
Posts: 6694
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia
Contact:

Re: Mēris botnet information

Wed Oct 27, 2021 10:58 am

There are no non-mikrotik binaries involved, only legitimate SOCKS, L2TP and Scheduler configuration.
As I got my first ever mikrotik device (a cute little R750Gr3) that I bought to serve as Multiwan Load Balancing and Fail over for my network I dared start fresh with no default settings. Just a beautiful blank canvas.

I should have known better! I got hit immediately with a script to fetch a file and open several ports for socks. I can say that socks (pun intended) but it was so much fun! Since I was just configuring it and I was looking frequently at what changes happened in "export" I noticed rather quickly that there was a new command I didn't issue and proceded to secure it before proceding any further.

I am loving this devices! Now I have 12 mikrotik devices and so much new things to try.

I looked at the script and found out it was common for rookies (like myself) to connect a router with no password or an unsafe password and get it 'hijacked'.

Thanks for the information, the support, the devices, and so much flexibility. I am so sad I didn't find this devices earlier in my life.
It is sad, that someone removed default configuration (if it wasn't you on the first boot), as default configuration provide basic firewall that prevents from 99% attacks. I suggest to put at least basic firewall, that could be tuned later (do not forget to set password on your router),
https://wiki.mikrotik.com/wiki/Manual:S ... o_a_router
 
User avatar
Amm0
Forum Guru
Forum Guru
Posts: 3169
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Mēris botnet information

Tue Nov 30, 2021 6:06 am

Thanks for the information, the support, the devices, and so much flexibility. I am so sad I didn't find this devices earlier in my life.
It is sad, that someone removed default configuration (if it wasn't you on the first boot), as default configuration provide basic firewall that prevents from 99% attacks.
That's true. But what's the other 1% on the WAN side?

Certainly the default firewall doesn't stop the open Wi-Fi on some devices used on initial setup of the device. That's at least one window of time when no firewall can help if attacking code on another Wi-Fi device looked for Wi-Fi APs starting with "Mikrotik XXXX", the attacking code just need proximity/wi-fi, since fixed admin/no password on LAN side.
 
User avatar
jp
Long time Member
Long time Member
Posts: 609
Joined: Wed Mar 02, 2005 5:06 am
Location: Maine
Contact:

Re: Mēris botnet information

Wed Dec 08, 2021 12:20 am

Screenshot from 2021-12-07 13-33-01.png
What software spreads this? We have a computer repair/cleanup shop and sometimes a client computer on the workbench tries to get into our mikrotik gateway.. Unsuccessfully of course, but with this instance, I did not find any malware on the computer with the IP address I've redacted... Appreciate any clues on what to clean up on the computers causing this in the Mikrotik logs. I've run avast, avast boot scan, malwarebytes, and spybot and not found anything.
You do not have the required permissions to view the files attached to this post.
 
holvoetn
Forum Guru
Forum Guru
Posts: 5317
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Mēris botnet information

Wed Dec 08, 2021 8:07 am

Look at other computers too.
Surely someone smart enough to put malware on a device, will use IP spoofing as well.
 
sblanchard
just joined
Posts: 2
Joined: Fri Oct 15, 2021 7:06 pm

Re: Mēris botnet information

Wed Dec 08, 2021 2:34 pm

I would do a wireshark capture of the traffic across the wire from the suspected machine to determine if it is truly the source of the attempted logins. If it is, I typically use TRON (https://github.com/bmrf/tron) to inspect a machine for malware and have had good success. It is a script that runs numerous different software looking for and fixing issues. I have not had to use it in the past year (it is constantly updated), so make sure YOU verify anything it does, as it is coming from an open source site, Github (i.e.; Use at your own risk). Good luck!
 
aoakeley
Member Candidate
Member Candidate
Posts: 170
Joined: Mon May 21, 2012 11:45 am

Re: Mēris botnet information

Wed Dec 08, 2021 4:20 pm

Appreciate any clues on what to clean up on the computers causing this in the Mikrotik logs. I've run avast, avast boot scan, malwarebytes, and spybot and not found anything.
I think this is actually Avast. uninstall Avast and see if the issue goes away.
I think it is the "Avast Network Scan" module
 
User avatar
jp
Long time Member
Long time Member
Posts: 609
Joined: Wed Mar 02, 2005 5:06 am
Location: Maine
Contact:

Re: Mēris botnet information

Wed Dec 08, 2021 7:43 pm

Appreciate any clues on what to clean up on the computers causing this in the Mikrotik logs. I've run avast, avast boot scan, malwarebytes, and spybot and not found anything.
I think this is actually Avast. uninstall Avast and see if the issue goes away.
I think it is the "Avast Network Scan" module
It's the Avast wifi scan doing this... Comes with the free version of Avast. Appreciate everyone's help and thankful it's not botnet.
 
User avatar
deadkat
Frequent Visitor
Frequent Visitor
Posts: 57
Joined: Sun Nov 15, 2020 11:14 pm
Location: Alabama, USA

Re: Mēris botnet information

Thu Dec 09, 2021 5:07 pm

jp, I had seen the exact same behavior from my dad's pc trying to log into out mikrotik gateway at home. I got scared and thought his pc was on meris for a bit. glad to hear it may just be his avast subscription that caused my heart attack
 
pe1chl
Forum Guru
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Mēris botnet information

Sat Dec 11, 2021 11:36 am

Seeing exact behaviour on my PC. Hope the mikrotik problem solves asap.
This is not a MikroTik problem, it is an AVAST problem. You need to write to AVAST to have them solve it.
(they will probably claim it is not a problem but a good effort by them to locate infected routers)
 
User avatar
Jotne
Forum Guru
Forum Guru
Posts: 3279
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Mēris botnet information

Sat Dec 11, 2021 3:32 pm

Or remove AVAST. I never have had any problem with built in Microsoft Defender.
Not sure if AVAST is better or worse than MD, but what I know is that many running both and that is not good at all.
So if you pay (there are free version) for AVAST and it does not give any more than MD why pay.
Also MD is created by MS and may work better with Windows than AVAST.
 
janisbvp
Frequent Visitor
Frequent Visitor
Posts: 76
Joined: Thu Jul 15, 2010 10:33 am

Re: Mēris botnet information

Sat Dec 11, 2021 6:06 pm

Contemplating on this subject - wouldn't it be a nice idea for MT or someone outside to create a script, that runs over all public ip's and builds a list of vulnerable MT routers (or get that list from those cocky "investigators" that are publishing stories about Mikrotik), then a second script that goes over these vulnerable IP's, adds a rule to reset to defaults after some hours and runs auto upgrade. That should take care of the problem, but probably make MT upgrade server feel some pain. If you are reaching for keyboard to write something about legality of forcefully upgrading OS or changing settings to defaults - don't! One evil company from Redmond is doing that for maaaaany years and is quite fine and in our case it it serves good, not evil purpose.
 
User avatar
Jotne
Forum Guru
Forum Guru
Posts: 3279
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Mēris botnet information

Sat Dec 11, 2021 6:21 pm

What if the upgrade on a remote router goes wrong. Who would fix that and who would pay for some to fix it.
 
User avatar
deadkat
Frequent Visitor
Frequent Visitor
Posts: 57
Joined: Sun Nov 15, 2020 11:14 pm
Location: Alabama, USA

Re: Mēris botnet information

Mon Dec 13, 2021 5:20 am

pretty sure (correct me if im wrong) MS has a section about automatic updates from them in their TOS. MT does not.
 
User avatar
normis
MikroTik Support
MikroTik Support
Topic Author
Posts: 26287
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Mēris botnet information

Mon Dec 13, 2021 9:11 am

Contemplating on this subject - wouldn't it be a nice idea for MT or someone outside to create a script, that runs over all public ip's and builds a list of vulnerable MT routers (or get that list from those cocky "investigators" that are publishing stories about Mikrotik), then a second script that goes over these vulnerable IP's, adds a rule to reset to defaults after some hours and runs auto upgrade. That should take care of the problem, but probably make MT upgrade server feel some pain. If you are reaching for keyboard to write something about legality of forcefully upgrading OS or changing settings to defaults - don't! One evil company from Redmond is doing that for maaaaany years and is quite fine and in our case it it serves good, not evil purpose.
Sounds illegal, I don't think MikroTik can legitimately access or control other peoples devices.
 
pe1chl
Forum Guru
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Mēris botnet information

Mon Dec 13, 2021 1:03 pm

Of course an option (not for the existing situation but for the future) would be to have an auto-update mechanism (enabled by default) in the router that updates the software when a critical vulnerability has been found. Preferably using a separate release channel that only changes in such cases.
Other manufacturers are doing that, so probably it is allowed.
 
ckonsultor
Frequent Visitor
Frequent Visitor
Posts: 50
Joined: Sun Nov 21, 2021 7:57 pm

Re: Mēris botnet information

Tue Dec 14, 2021 5:45 am

Has anybody tried the Meris detector at
https://github.com/eclypsium/mikrotik_m ... os-checker
?
Is there a binary or .rpm version? I'm a network guy and not so good with compiling C++ source code.
 
User avatar
deadkat
Frequent Visitor
Frequent Visitor
Posts: 57
Joined: Sun Nov 15, 2020 11:14 pm
Location: Alabama, USA

Re: Mēris botnet information

Tue Dec 14, 2021 9:34 pm

I've looked at that github. its made to be run from a PC on a LAN and will check ip addresses given as arguments when running.
it checks if router is exploitable via CVE-2018-14847 and then if that fails it requests credentials from you so that it can login to your router...

the only thing it checks for is whether any schedulers exist which contain the URLs mentioned here: https://blog.mikrotik.com/security/meris-botnet.html
it doesn't make any changes to your device as far as I can tell...personally I'd just recommend an update to 6.49.2 where possible to let MT's own device flagging feature do this for you.

I've personally has zero problems with updating to 6.49.x, although I know some others here have had problems with this update...
 
User avatar
normis
MikroTik Support
MikroTik Support
Topic Author
Posts: 26287
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Mēris botnet information

Sat Feb 26, 2022 5:08 pm

It does not send your IP anywhere, but there are bots that attempt to connect to all active IP addresses, just by guessing.
Anyway, if you see these logs your firewall is misconfigured. Looks like you need to apply the firwall rules to the interface you use to connect to internet. Possibly PPPoE then?
 
User avatar
BartoszP
Forum Guru
Forum Guru
Posts: 2855
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Mēris botnet information

Sat Feb 26, 2022 5:33 pm

....The question is, how do they know my router from hundreds of millions of IPs around the world and log in remotely within a few minutes?....
They do not know your IP ... they are testing every address which is valid. Your router is one from millions "victims" beeing tested against possible vulnerabilities. Check this https://www.abuseipdb.com/
 
User avatar
Jotne
Forum Guru
Forum Guru
Posts: 3279
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Mēris botnet information

Sat Feb 26, 2022 5:41 pm

@wongdi Telnet/SSH/Winbox should never ever be open to the router from outside IP. Seeing your logs that someone tries to connect from public IP tells us that its open. VPN is nearly to one good way to work on remote routers. Make a new post (not this thread). Post your complete config and ask for assistanse.
 
pe1chl
Forum Guru
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Mēris botnet information

Mon Feb 28, 2022 3:23 pm

Unless you have an enterprise grade router, for which it is expected that a competent admin configures it, the default MikroTik configuration is to block incoming connections from internet.
 
pe1chl
Forum Guru
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Mēris botnet information

Mon Feb 28, 2022 4:24 pm

There usually is a conflict between "easy" and "secure".
 
afuchs
Frequent Visitor
Frequent Visitor
Posts: 81
Joined: Wed Jul 03, 2019 11:10 am

Re: Mēris botnet information

Mon Feb 28, 2022 5:10 pm

If you want it more difficult and minimally safer, have a look here
https://wiki.mikrotik.com/wiki/Port_Knocking
There are some interesting thread in the forum too.
 
pe1chl
Forum Guru
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Mēris botnet information

Sat Mar 19, 2022 11:25 am

I'm afraid there is nothing you can do. The best solution probably is to buy a new one and configure it, ship it there and ask someone to plug it in.
 
User avatar
Hominidae
Member
Member
Posts: 309
Joined: Thu Oct 19, 2017 12:50 am

Re: Mēris botnet information

Sat Mar 19, 2022 11:57 am

I know that the better solution is to reset the router or netinstall new firmware but the problem is that im too far from the device (thousands of miles) and no one have access there. Could you please advise me what can I do in such case?
+1 physically remove and replace/netinstall.
Also, as it is an LTE device, I'd try and disable the SIM/Telco service via the telco provider management. You are risking that the telco will do that anyway, when their IDS/IPS kicks in and thy will terminate/suspend your contract...better be pro-active.
I'd double check if the bot/captured device is generating/sending SMS (generating costs as per your tariff).

Who is online

Users browsing this forum: Majestic-12 [Bot] and 18 guests